[strongSwan] SS5.1.0 and libipsec, configuration and usage questions

Kimmo K koippa at gmail.com
Wed Jan 8 17:13:50 CET 2014


2014/1/8 Martin Willi <martin at strongswan.org>:
Hello Martin

>> Would it be possible (in theory) to use two backends at the same time, by
>> defining it per connection?
>
> Theoretically, why not. However, we currently create only one kernel
> backend instance. Creating another one and selecting the correct one for
> use adds another layer of complexity. We currently have no plans for
> such an extension. Looks like a rather exotic requirement?

What I have in mind is similar behavior to what Juniper has in its
firewalls (not that I would like Juniper firewalls...) where you can
add policy based IPsec connections and you can also create route based
connections, where you add one IPsec interface per connection.

For example, you add st0.0 which points to your Frankfurt VPN server,
st0.1 which points to Bremen etc. Then you define basic IKEv1/v2
settings, and tunnels with local/remote 0.0.0.0/0 traffic selectors are
negotiated to both Frankfurt and Bremen.

Then, you can add or remove routes to interfaces to send traffic to
the remote sites.

When networks change, there is no need to reconfigure the VPN; the tunnel
is always up and running, you just add or delete routes to/from that interface.
And at the same time, you can create policy based VPN tunnels if a
0.0.0.0/0 traffic selector is not what the other peer supports.

>
>> It would be nice if I could just add networks and routes to the firewall
>> and that would affect the net2net tunnels too.
>
> So you'd basically use the net2net tunnel more as a dumb pipe, and then
> dynamically manage routes to forward specific traffic?

Yes, as a dumb pipe, that is the goal. Could be done with static or
dynamic routing. But this might not be a good idea, I'm just trying to
mimic Juniper's feature.

> I don't know your exact requirements, but instead of using libipsec you
> may also consider using a kernel-based IPsec backend and Netfilter
> marks. These marks are very powerful, and allow you to (dynamically)
> create firewall rules and tag individual packets to select the
> appropriate IPsec policy. Probably scales much better, and is way more
> flexible in selecting packets.

Netfilter marks would help me to select the connection/SA, but would not
let me do overlapping traffic selectors?
Would this be possible, if I set the mark with iptables:

conn A
    left=me
    right=peer1
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=1

conn B
    left=me
    right=peer2
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=2


That would be a good solution if those traffic selectors could overlap.

Mfg,
Kimmo
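The mark-based setup sketched above, modelled as an added example that is not part of the thread or of strongSwan: two policies with identical 0.0.0.0/0 selectors are told apart only by the mark that mangle rules set on each packet, and a packet that carries no mark matches neither policy, so it would leave in the clear. The prefixes, the mangle rules and the policy collision check are constructed for this model and are not kernel code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One outbound IPsec policy as a conn with leftsubnet/rightsubnet/mark installs it."""
    conn: str
    src: str            # leftsubnet
    dst: str            # rightsubnet
    mark: int = 0       # ipsec.conf mark=value
    mask: int = 0       # mask 0: the fwmark is not part of the match


FULL_MASK = 0xFFFFFFFF  # mask used when mark= is given without a /mask


def matches(pol, src, dst, fwmark):
    """Selector match plus xfrm-style mark match: (fwmark & mask) == mark."""
    return (ip_address(src) in ip_network(pol.src)
            and ip_address(dst) in ip_network(pol.dst)
            and (fwmark & pol.mask) == pol.mark)


def select_policy(policies, src, dst, fwmark=0):
    """Return the conn whose policy applies, or None if the packet would bypass IPsec."""
    hits = [p for p in policies if matches(p, src, dst, fwmark)]
    if len(hits) > 1:
        # Modelled, not kernel behaviour: identical selectors without a mark
        # collide; in the kernel one policy would simply shadow the other.
        raise LookupError("overlapping selectors: " + ", ".join(p.conn for p in hits))
    return hits[0].conn if hits else None


def fwmark_for(dst, mangle_rules):
    """First-match emulation of rules like: -t mangle -d 10.1.0.0/16 -j MARK --set-mark 1."""
    for prefix, mark in mangle_rules:
        if ip_address(dst) in ip_network(prefix):
            return mark
    return 0


# Constructed: conn A / conn B from the mail, with and without mark=
MARKED = [Policy("A", "0.0.0.0/0", "0.0.0.0/0", 1, FULL_MASK),
          Policy("B", "0.0.0.0/0", "0.0.0.0/0", 2, FULL_MASK)]
UNMARKED = [Policy("A", "0.0.0.0/0", "0.0.0.0/0"),
            Policy("B", "0.0.0.0/0", "0.0.0.0/0")]
# Constructed mangle rules: Frankfurt prefix gets mark 1, Bremen prefix mark 2
MANGLE = [("10.1.0.0/16", 1), ("10.2.0.0/16", 2)]


def route(dst, src="192.168.0.10"):
    """Mark the packet as the mangle table would, then do the policy lookup."""
    return select_policy(MARKED, src, dst, fwmark_for(dst, MANGLE))


if __name__ == "__main__":
    for dst in ("10.1.5.5", "10.2.7.7", "198.51.100.9"):
        print(dst, "->", route(dst))  # A, B, None (unmarked traffic bypasses IPsec)
```

The None result for the unmarked destination is the point to watch: with mark-based policies, anything the mangle rules miss is not protected, so a catch-all rule or drop policy belongs next to the marks.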



